It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Firefox: Zero-Day Java Vulnerability

page: 1
0

log in

join
share:

posted on Oct, 1 2006 @ 11:29 AM
link   
It's not on US-CERT yet, but it will be. Nasty little browser flaw... aren't they all?
ZDNet and now that these guys have publicly exposed the flaw... turn off JS as a temp workaround. I'm sure a patch will be forth coming... Firefox is good about that.

Victor K.

38'




posted on Oct, 1 2006 @ 09:09 PM
link   

Originally posted by V Kaminski
I'm sure a patch will be forth coming


I don't know about that Victor. I just read the same Z-net article that you mentioned and I was a bit disheartened to notice that this flaw was referred to as being impossible to fix.


"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch." news.zdnet.com...


This evaluation by Speigelmock might also explain why IE still has not resolved the same JavaScript security flaw.

[edit on 10/1/2006 by benevolent tyrant]



posted on Oct, 1 2006 @ 09:46 PM
link   
The way I hear it as of Sunday night that a buffer over-run prompt patch is in the works from several sources... what does worry me is that these individuals claim to have another 30 or so "exploits" in the can. For now turn off JS if a worry.

We'll see how "impossible" the task the spokes-person mentioned is. I'd think that a "parse no more than" syntax would handle this... or perhaps an increase in the specificity of the browser requirements for such an argument are do-able? I tend to shy away from absolutes like "impossible" - who'd have thought that a double-backflip on a MX bike was possible even last year...

I'm confident a fix will be found as opposed to a workaround... I don't see it being left unpatched too long at any rate. That these individuals would demo such code publicly without mentioning it to the browser's creators with advanced warning is an indication of the problems in computing - mostly human, with less than honourable intent.

Oh well, they got their 30 seconds of fame... "King Black Hat" for almost the whole news cycle. We are fortunate to have a choice of browsers and code sources.

Victor K.

38'

[edit on 1-10-2006 by V Kaminski]



posted on Oct, 1 2006 @ 10:00 PM
link   

Originally posted by V Kaminski
That these individuals would demo such code publicly without mentioning it to the browser's creators with advanced warning is an indication of the problems in computing - mostly human, with less than honourable intent.

Oh well, they got their 30 seconds of fame... "King Black Hat" for almost the whole news cycle. We are fortunate to have a choice of browsers and code sources.

Victor K.
[edit on 1-10-2006 by V Kaminski]


I totally agree with you. It seems that you get these "script kiddies" who have been occupying their teen years "tagging" the Internet, so to speak, with their malicious "graffiti" for nothing more than "bragging rights" amongst their friends. Now that they've "grown up" and have jobs in the IT industry, they continue to be pre-occupied with the same agenda -- to have the distinction or "bragging rights" around the water cooler. The responsible thing to have done was, as you mentioned, to contact Mozilla with their discovery of the flaw. But, then, no one has ever accused a "script kiddie" with being responsible individual



posted on Oct, 1 2006 @ 10:19 PM
link   

Originally posted by benevolent tyrant

I don't know about that Victor. I just read the same Z-net article that you mentioned and I was a bit disheartened to notice that this flaw was referred to as being impossible to fix.

"It is impossible to patch."


ZDNet or not - I don't buy that. It's code ......... anything can be written.

If it can be written, it can be exploited.
If it can be exploited, it can be patched.

Misfit



posted on Oct, 3 2006 @ 09:47 AM
link   
Things are not always as they seem... or so it would seem... most unseeming. Our "impossible to patch" guys may have been pulling a joke in bad taste? pehaps not but they sure are dancing rather quickly and to a different tune.

I don't like these guys whether they are skilled or not. Here' a couple of links for those with an interest. Were they bought to "retract" their statements especially "the 30 exploits in the can"? or just an attack of morality or fear of "never working in this town again"? There must be more to this... stack overflows are not buffer overflows and a bit harder to generate... not exactly cut and paste stuff...

Well, anyway Moz does have 'fox 2 in the pipe at RC1 and have had for a while and it does have a different JS handling schema... I have no idea if it will parse requests with more specificity...

Moz Beta Center Statement - is this evidence of a retraction by "Private Cody" and his "Lost-Planet BumBoy"? Or evidence of "no honour amongst theives". They were pretty "brave-stuff" last weekend... (I wouldn't want to be them right about now).

SecurityProNews's take on the deal - buddy was there for the demo.

And if there's "no problem" then why the level of concern at US-CERT? BTW: The Intel Apple stuff is ready... and I thought "Apache Server" was appropriately named... didn't a guy named Adam get into some bother when an associate bit some piece of fruit... nah, couldn't be.

Victor K.

38'

[edit on 3-10-2006 by V Kaminski]



new topics

top topics
 
0

log in

join